Public and private addressing


IP addresses come in two forms: public addresses, which are assigned by a central network authority and may be used to reach systems located across the Internet, and private addresses, which are available for anyone's use but may only be used on local networks and do not work across the Internet. In this video, learn the differences between public and private IP addresses and the use of Network Address Translation, or NAT.

- As we've discussed throughout this course, IP addresses uniquely identify systems on a network. TCP/IP-compatible devices use these addresses to correctly route packets across networks, but how are these addresses assigned? IP addresses come in two forms: public addresses, which are assigned by a central network authority and may be used to reach systems located across the internet, and private addresses, which are available for anyone's use, but may only be used on local networks and will not work across the internet.

Let's begin by discussing public IP addresses. These addresses are centrally managed by a group known as the Internet Corporation for Assigned Names and Numbers, or ICANN. ICANN breaks addresses up into blocks, and gives them out to regional authorities in different countries for distribution. These regional authorities each take responsibility for a geographic portion of the world. For example, the American Registry for Internet Numbers, or ARIN, governs the distribution of IP addresses in the United States and Canada.

One of the major issues with IP addresses is that they are a scarce resource, especially when it comes to the traditional dotted quad IPv4 addresses. There are no large blocks of IPv4 addresses available for assignment today, and the only way to get these public IP addresses is by purchasing or renting them from other organizations, such as internet service providers. In the early days of networking, many organizations would simply obtain a large block of public IP addresses and use them on all of their systems.

For example, if an organization owned the 8.1.0.0 network, they might have just freely handed out those addresses on their own networks. The scarcity of IP addresses, combined with security concerns, makes this impractical today. Why are these addresses so scarce? With the dotted quad notation of IPv4, there are only 4.3 billion possible IP addresses. While this may sound like a lot, Cisco estimates that there are currently around seven and a half billion mobile devices alone in the world today.

That count doesn't even include servers, desktop computers, network appliances, or any non-mobile devices. There simply aren't enough possible addresses to assign every device in the world a unique public IP address. The solution to this dilemma is the use of private IP address ranges. When ICANN's predecessor organizations divided up the original IP address space, they reserved three different address ranges for use on private networks. These ranges are the ten-network, from 10.0.0.1 to 10.255.255.255.

Another is the portion of the 172 network, from 172.16.0.1 to 172.31.255.255. And the last is the 192.168 network, from 192.168.0.1 to 192.168.255.255. These ranges are called private IP addresses and anyone can use them on their local networks. The only catch is that they are reserved for use on private networks and cannot be used for routing traffic across the internet.

Today, organizations typically use a balance of public and private IP addresses. They use private addresses broadly within their private networks, assigning them to all of their internal systems. They then use a small number of public IP addresses for systems that require public access. In the case of this network that formerly used public addresses from the 8.1 range, administrators might instead assign private addresses from the 192.168 range.

You might have noticed one problem with this approach. Systems that have private IP addresses cannot communicate on the internet using those addresses because they are not internet-routable. Thousands of organizations around the world use those same private addresses on their own internal networks, so remote systems would have no way of telling where reply traffic should actually go. The solution to this is a technology known as Network Address Translation, or NAT. Routers and firewalls perform NAT translation at the border of a network.

When a system with a private IP address, such as this laptop with private address 192.168.1.1, wants to communicate on the internet, the NAT device lends the system a public IP address temporarily for use during that communication. It then records the public and private IP address translation in a table, and when a reply comes in for that public address, the NAT device looks up the corresponding private address in the table, and then routes the packet to the correct system on the private network.

NAT does introduce new concerns for security professionals. It does bring the privacy benefit of hiding IP addresses from the public internet, and limiting direct access to systems, but it also makes it difficult to correlate activity on a public IP address back to the true originator. For this reason, most organizations maintain logs of their NAT translations that allow them to determine who was using a particular public IP address at any given time. NAT is a very useful technology, but it is somewhat limited because it requires a public IP address for every system on the network that needs to communicate on the internet.

Since most organizations have a limited pool of public addresses, they can quickly run into a situation where that pool is exhausted and no new systems can communicate on the internet. Port Address Translation, or PAT, solves this problem by allowing multiple systems to share the same public address. Instead of recording translations between IP addresses, PAT assigns each connection a different port on a public IP address. This way, many different systems can share the same public IP address at any point in time.
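The translation table, the reply lookup, the attribution log and the port sharing that the transcript describes, as an added Python example that is not part of the course or its transcript. It models a PAT border device: it checks that an inside address really is one of the three private ranges (written here in CIDR form, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), assigns each outbound connection its own port on one public address, maps replies back to the private host, drops inbound packets that match no table entry, and keeps a timestamped log so an analyst can answer "which internal host held this public port at this time?". The public address 203.0.113.10 and remote server 198.51.100.7 are documentation addresses standing in for real ones, the clock is an integer supplied by the caller, and the hosts and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count
from typing import Optional

# The three private ranges reserved for local use, in CIDR form.
PRIVATE_BLOCKS = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the three private ranges (not internet-routable)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP connection: source ip:port -> destination ip:port."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class LogEntry:
    """One translation, kept for attribution; 'end' stays None while the mapping is live."""
    public_port: int
    private_ip: str
    private_port: int
    dst_ip: str
    dst_port: int
    start: int
    end: Optional[int] = None


class PatDevice:
    """Border device doing PAT: many private hosts share one public IP, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        if is_rfc1918(public_ip):
            raise ValueError("the outside address of a NAT device must be public")
        self.public_ip = public_ip
        self._next_port = count(first_port)   # toy allocator; ports are never reused here
        self._outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self._inbound = {}    # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.log = []         # list of LogEntry, the record analysts query later

    def translate_out(self, flow: Flow, now: int) -> Flow:
        """Rewrite an outbound packet's source to public_ip:port, creating a mapping on first use."""
        if not is_rfc1918(flow.src_ip):
            raise ValueError(f"{flow.src_ip} is not a private address; nothing to translate")
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)
        port = self._outbound.get(key)
        if port is None:   # new connection: take the next free public port and log it
            port = next(self._next_port)
            self._outbound[key] = port
            self._inbound[(port, flow.dst_ip, flow.dst_port)] = (flow.src_ip, flow.src_port)
            self.log.append(LogEntry(port, flow.src_ip, flow.src_port,
                                     flow.dst_ip, flow.dst_port, now))
        return Flow(self.public_ip, port, flow.dst_ip, flow.dst_port)

    def translate_in(self, flow: Flow) -> Optional[Flow]:
        """Rewrite a reply's destination back to the private host; None means drop the packet."""
        if flow.dst_ip != self.public_ip:
            return None
        private = self._inbound.get((flow.dst_port, flow.src_ip, flow.src_port))
        if private is None:
            return None   # unsolicited inbound traffic: no table entry, so no path inside
        return Flow(flow.src_ip, flow.src_port, private[0], private[1])

    def close(self, flow: Flow, now: int) -> None:
        """Tear down a finished connection's mapping and record when it ended."""
        port = self._outbound.pop((flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port), None)
        if port is None:
            return
        self._inbound.pop((port, flow.dst_ip, flow.dst_port), None)
        for entry in self.log:
            if entry.public_port == port and entry.end is None:
                entry.end = now

    def who_used(self, public_port: int, at: int) -> Optional[str]:
        """Attribution query: which private host held public_ip:public_port at time 'at'?"""
        for entry in self.log:
            if entry.public_port == public_port and entry.start <= at \
                    and (entry.end is None or at < entry.end):
                return entry.private_ip
        return None


def demo() -> dict:
    """Two 192.168 hosts reach the same server through one public address (constructed data)."""
    nat = PatDevice("203.0.113.10")
    a = Flow("192.168.1.1", 51000, "198.51.100.7", 443)
    b = Flow("192.168.1.2", 51000, "198.51.100.7", 443)   # same source port as a; PAT keeps them apart
    out_a = nat.translate_out(a, now=100)
    out_b = nat.translate_out(b, now=105)
    reply_to_a = nat.translate_in(Flow("198.51.100.7", 443, nat.public_ip, out_a.src_port))
    unsolicited = nat.translate_in(Flow("198.51.100.7", 443, nat.public_ip, 40999))
    nat.close(a, now=200)
    return {"out_a": out_a, "out_b": out_b, "reply_to_a": reply_to_a,
            "unsolicited": unsolicited,
            "owner_at_150": nat.who_used(out_a.src_port, 150),
            "owner_at_250": nat.who_used(out_a.src_port, 250)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table is keyed on the full connection, not just the private address, which is what lets two inside hosts both use source port 51000 without colliding. The log is the part that matters for investigations: without the `start`/`end` times a complaint about "203.0.113.10 port 40000 at time 250" could not be pinned to, or cleared from, host 192.168.1.1.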



Released: 4/4/2018

The Certified Information Systems Security Professional (CISSP) certification is an important component of any security professional's resume, and is a requirement for many top jobs. In this course, prepare for the fourth domain of the exam: Communications and Network Security. Instructor and cybersecurity expert Mike Chapple goes over TCP/IP networking, network security devices, and secure network design. Mike also includes coverage of specialized networking, network attacks, wireless networking, and more.

Note: This course is part of a series releasing throughout 2018. A completed learning path of the series will be available once all the courses are released.